The recent Auditor General Report on Municipal Allegations and Gaps in Provincial Oversight released on August 28, 2025, emphasized that cybersecurity should not just be “on the radar” for municipalities… Learn More
Author(s):
Jennifer S. Hanson, Jeffrey Kowall
published 10/15/2025
The recent Auditor General Report on Municipal Allegations and Gaps in Provincial Oversight released on August 28, 2025, emphasized that cybersecurity should not just be “on the radar” for municipalities but that cybersecurity policies and protocols should be prepared and implemented by municipalities that have not already done so.
The Auditor General found that a municipality failed to investigate a cybersecurity incident for root cause, missing a critical opportunity to understand how the incident occurred and how to prevent future breaches. The Auditor General confirmed that this incident “highlights the need for all municipalities to implement controls based on a recognized cybersecurity framework, to protect them from cybersecurity threats.”
Recommendation 1 from the Auditor General Report was that all municipalities implement, at minimum, the Canadian Centre for Cyber Security’s baseline cybersecurity controls where they are not already implemented.
Assessing Your Municipality’s Cybersecurity Readiness
Has your municipality implemented any cybersecurity controls?
Do you meet the baseline requirements?
Do you meet your required legal obligations?
The hours after discovering a security breach are crucial to ensure a timely cybersecurity incident assessment and response. Beyond being an important factor in restoring functionality to your systems expeditiously, having proper policies and protocols in place will help your municipality ensure its compliance with the legal requirements relating to data protection and cybersecurity breaches in a timely manner and mitigate against potential legal liability.
Having a regularly tested incident response plan in place means that in the event of a security breach, required steps are taken and no time is wasted.
Key Questions for Municipal Leaders
To ensure that the recommended baseline controls and your municipality’s legal obligations are met, consider the following questions:
Coordinating Efforts
Coordinating efforts with your senior management, technology team and legal advisors is crucial to ensuring that your municipality is best prepared for a cybersecurity incident when it occurs.
Learn more about how TDS can support you with your legal needs. If you need assistance with any legal matters, please complete the Client Intake Form on our website at www.tdslaw.com/intake-form/.
DISCLAIMER: This article is presented for informational purposes only. The content does not constitute legal advice or solicitation and does not create a solicitor client relationship. The views expressed are solely the authors’ and should not be attributed to any other party, including Thompson Dorfman Sweatman LLP (TDS), its affiliate companies or its clients. The authors make no guarantees regarding the accuracy or adequacy of the information contained herein or linked to via this article. The authors are not able to provide free legal advice. If you are seeking advice on specific matters, please contact Keith LaBossiere, CEO & Managing Partner at kdl@tdslaw.com, or 204.934.2587. Please be aware that any unsolicited information sent to the author(s) cannot be considered to be solicitor-client privileged.
While care is taken to ensure the accuracy for the purposes stated, before relying upon these articles, you should seek and be guided by legal advice based on your specific circumstances. We would be pleased to provide you with our assistance on any of the issues raised in these articles.
